The NIST Cloud Framework
It's hard to determine what we would classify as part of the ‘cloud’, which is why many corporations and organizations follow the National Institute of Standards and Technology (NIST) framework from the U.S. Department of Commerce. This framework gives those of us who work in the industry a guideline on how to classify and manage cybersecurity risks and assets based on existing standards, guidelines, and practices.
Table of Contents
NIST Cloud Framework Essential Characteristics
NIST Cloud Framework Common Characteristics
- Massive Scale
- Resilient Computing
- Homogeneity
- Geographic Distribution
- Virtualization
- Service Orientation
- Low Cost Software
- Advanced Security
Types of Cloud Actors
NIST Cloud Framework Essential Characteristics
On Demand Self-Service
Cloud services should be readily available when requested and quick to set up and install. There shouldn’t be much need for manual setup and configuration on the user's end in terms of building up the raw infrastructure and facilities.
Broad Network Access
Users should be able to access the cloud environment from any place that has an internet connection. There are obviously limitations to that accessibility, given the nature of the cloud environment and user privilege settings. Whatever limitations apply, proper security measures should be put in place so that the cloud services are secured regardless of where they are being accessed from. Some examples of proper security in the cloud include VPNs, two-factor authentication, etc.
Rapid Elasticity
Organizations should be able to increase or decrease their cloud computational resources as easily as they need to without much issue. This means that cloud technology needs to be able to handle both small and large amounts of traffic at any given time.
Resource Pooling
Most cloud environments serve multiple clients on the same platform. This means that space and resources on a specific cloud service are shared amongst the users instead of being individually provisioned for every new user. There are exceptions to this depending on the security and processing needs of the consumer, but for the most part it is acceptable for cloud platforms to pool resources for more efficient cloud operation.
Measured Service
Cloud services aren’t free. Most of the time cloud services charge their users based on how much of the cloud resources they have consumed. Usually there are specific terms and limits on how much you can use before the charges get progressively higher or lower.
NIST Cloud Framework Common Characteristics
Massive Scale
Most cloud technologies are highly scalable due to the fact that these cloud platforms are hosted in large data centers that are meant specifically to make it easier to add or remove computing systems. They usually come as server racks and can be easily replaced, repaired, and managed when the need arises.
Resilient Computing
Most cloud service providers understand the importance of service uptimes. Cloud resiliency is the ability for a data server, storage system, or even an entire network to recover from any disruptions and continue operations quickly and efficiently. There are technologies that are in place to ensure the seamless experience of these cloud services. Some examples include RAID arrays, UPS devices, and load balancers.
Homogeneity
Some companies like to implement homogeneous cloud systems, where one vendor provides you with your entire cloud infrastructure. This proves useful in that it makes securing, auditing, and testing the cloud services easier for a more seamless experience.
Geographic Distribution
One aspect of resilient computing is that multiple data centers can be distributed across vastly different geographical locations. This provides two benefits for cloud providers. The first is that if one data center goes down due to a natural environmental disaster in the area, such as an earthquake or a power outage, there are other data centers in different geographical locations that weren’t affected and can continue to provide seamless cloud services. The other advantage is that strategically placing data centers in certain locations can optimize network speed for users by letting them access the data center that is closest to them.
Virtualization
One of the benefits of cloud technology is that it usually allows the virtualization of specific environments for users. For instance, if you want to host your website on a cloud hosting server through HostGator, you have many choices as to how you want to run your website. You could run a React/Angular application, a self-managed WordPress website, or even a simple raw HTML file with no frameworks or libraries built on top of it. The ability to use one piece of cloud infrastructure and apply many different platforms on top of it through virtualization allows for a lot of flexibility for its users.
Service Orientation
Since cloud providers know the market that they are providing for, they are able to orient their cloud computing platforms to make the services and experience smoother for their target cloud consumers. For instance, if a cloud provider knows that its consumers mostly use it for website hosting, then the cloud servers will be built and organized in a way that is optimized for application hosting. Similarly, if a cloud provider mainly provides its consumers with transactional services, it will optimize its data center servers accordingly to make transactions faster and more secure.
Low Cost Software
Instead of having to run software on your own network and physical devices, which can be costly to maintain, set up, and monitor, cloud alternatives can provide similar software services at a much lower cost.
Advanced Security
Since you aren’t setting up these services within your organization, cloud service providers usually have some type of enhanced cloud security features set in place either by default or as plugins.
Different Types of Cloud Actors
There are many different types of cloud technologies with many different uses. However, in terms of the organizational groups that use cloud technology, the NIST cloud computing reference architecture categorizes them into 5 Cloud Actors.
Cloud Consumers
These are people, organizations, or businesses that use cloud services that are provided by cloud providers. These usually span across many different industries for many different reasons.
Cloud Providers
This is an organization or business that is providing the service to cloud consumers. Cloud providers usually come as IaaS, PaaS, or SaaS service providers.
Cloud Auditors
This is a party or individual that is able to conduct independent assessments of a cloud service's performance, general operations, and overall security. This is to ensure that cloud providers are providing the proper security for their consumers and are optimizing their cloud architecture to prevent problems or financial losses in the long term.
Cloud Brokers
This is an entity that solely manages the use, performance, and delivery of cloud solutions. They are the man in the middle between cloud consumers and providers and are usually Major Service Providers (MSPs) or other cloud providers who make a commission by offering cloud solutions of other cloud providers.
Cloud Carriers
These are the internet service providers that provide the connectivity between cloud providers and cloud consumers. They don’t play an active role in most cloud services; however, your choice of a cloud carrier depends on the services that you plan on using as a cloud consumer or cloud provider. Some providers won't allow certain port connections while others limit your bandwidth. So it is advisable for anyone interested in cloud platforms to talk to someone about their internet service provider.